Hoare Logic and Model Checking

Transcription

1 Hoare Logic and Model Checking Kasper Svendsen University of Cambridge CST Part II 2016/17 Acknowledgement: slides heavily based on previous versions by Mike Gordon and Alan Mycroft

2 Introduction In the previous lecture we saw the informal concepts that Separation Logic is based on. This lecture will introduce a formal proof system for Separation logic present examples to illustrate the power of Separation logic The lecture will be focused on partial correctness. 1

3 A proof system for Separation logic

4 Separation Logic Separation logic inherits all the partial correctness rules from Hoare logic that you have already seen and extends them with the frame rule rules for each new heap-primitive Some of the derived rules for plain Hoare logic no longer hold for separation logic (e.g., the rule of constancy). 2

5 The frame rule The frame rule expresses that Separation logic triples always preserve any resources disjoint from the precondition. {P} C {Q} mod(c) FV (R) = {P R} C {Q R} The second hypothesis ensures that the frame R does not refer to any program variables modified by the command C. 3

6 The heap assignment rule Separation logic triples must assert ownership of any heap-cells modified by the command. The heap assignment axiom thus asserts ownership of the heap location being assigned. {E 1 } [E 1 ] := E 2 {E 1 E 2 } Here we use E 1 as shorthand for v. E 1 v. 4

7 The heap dereference rule Separation logic triples must ensure the command does not fault. The heap dereference rule thus asserts ownership of the given heap location to ensure the location is allocated in the heap. {E v X = x} X := [E] {E[x/X ] v X = v} Here the auxiliary variable x is used to refer to the initial value of X in the postcondition. 5

8 Separation logic The assignment rule introduces a new points-to assertion for each newly allocated location: {X = x} X := cons(e 1,..., E n ) {X E 1 [x/x ],..., E n [x/x ]} The deallocation rule destroys the points-to assertion for the location to be deallocated: {E } dispose(e) {emp} 6

9 Swap example To illustrate these rules, consider the following code-snippet: C swap A := [X ]; B := [Y ]; [X ] := B; [Y ] := A; We want to show that it swaps the values in the locations referenced by X and Y, when X and Y do not alias: {X v 1 Y v 2 } C swap {X v 2 Y v 1 } 7

10 Swap example Below is a proof-outline of the main steps: {X v 1 Y v 2 } A := [X ]; {X v 1 Y v 2 A = v 1 } B := [Y ]; {X v 1 Y v 2 A = v 1 B = v 2 } [X ] := B; {X B Y v 2 A = v 1 B = v 2 } [Y ] := A; {X B Y A A = v 1 B = v 2 } {X v 2 Y v 1 } 8

11 Swap example To prove this first triple, we use the heap-dereference rule to derive: {X v 1 A = a} A := [X ] {X [a/a] v 1 A = v 1 } Then we existentially quantify the auxiliary variable a: { a. X v 1 A = a} A := [X ] { a. X [a/a] v 1 A = v 1 } Applying the rule-of-consequence we obtain: {X v 1 } A := [X ] {X v 1 A = v 1 } Since A := [X ] does not modify Y we can frame on Y v 2 : {X v 1 Y v 2 } A := [X ] {(X v 1 A = v 1 ) Y v 2 } Lastly, by the rule-of-consequence we obtain: {X v 1 Y v 2 } A := [X ] {X v 1 Y v 2 A = v 1 } 9

12 Swap example For the last application of consequence, we need to show that: (X v 1 A = v 1 ) Y v 2 X v 1 Y v 2 A = v 1 To prove this we need proof rules for the new separation logic primitives. 10

13 Separation logic assertions Separation conjunction is commutative and associative operator with emp as a neutral element: P Q Q P (P Q) R P (Q R) P emp P Separation conjunction is monotone with respect to implication: P 1 Q 1 P 2 Q 2 P 1 P 2 Q 1 Q 2 11

14 Separation logic assertions Separating conjunction distributes over disjunction and semi-distributes over conjunction: (P Q) R (P R) (Q R) (P Q) R (P R) (Q R) Taking R X 1 Y 1, P X 1 and Q X 1 yields a counterexample to distributivity over conjunction in the other direction: = (P R) (Q R) (P Q) R 12

15 Separation logic assertions An assertion is pure if it does not contain emp, or. Separation conjunction and conjunction collapses for pure assertions: P Q P Q P Q P Q (P Q) R P (Q R) when P or Q is pure when P and Q are pure when P is pure 13

16 Verifying abstract data types

17 Verifying ADTs Separation Logic is very well-suited for specifying and reasoning about data structures typically found in standard libraries such as lists, queues, stacks, etc. To illustrate we will specify and verify a library for working with linked lists in Separation Logic. 14

18 A linked list library First we need to define a memory representation for our linked lists. We will use a singly-linked list, starting from some designated head variable that refers to the first element of the list and terminating with a null-pointer. For instance, we will represent a list containing the values 12, 99 and 37 as follows head

19 Representation predicates To formalise the memory representation, Separation Logic uses representation predicates that relate an abstract description of the state of the data structure with its memory representations. For our example, we want a predicate list(head, α) that relates a mathematical list, α, with its memory representation. To define such a predicate formally, we need to extend the assertion logic to reason about mathematical lists, support for predicates and inductive definitions. We will elide these details. 16

20 Representation predicates We are going to define the list(head, α) predicate by induction on the list α. We need to consider two cases: the empty list and an element x appended to a list β. An empty list is represented as a null-pointer list(head, []) = def head = null The list x :: β is represented by a reference to two consecutive heap-cells that contain the value x and a representation of the rest of the list, respectively list(head, x :: β) = def y. head x (head + 1) y list(y, β) 17

21 Representation predicates The representation predicate allows us to specify the behaviour of the list operations by their effect on the abstract state of the list Imagine C push is an implementation of an push operation that pushes the value stored in variable X to the front of the list referenced by variable HEAD and stores a reference to the new list in HEAD We can specify this operation in terms of its behaviour on the abstract state of the list as follows {list(head, α) X = x} C add {list(head, x :: α)} 18

22 Representation predicates We can specify all the operations of the library in a similar manner {emp} C new {list(head, [])} {list(head, α) X = x} C push {list(head, x :: α)} {list(head, x :: α)} C pop {list(head, α) RET = x} {list(head, [])} C pop {list(head, []) RET = null} {list(head, α)} C delete {emp} 19

23 Implementation of push The push operation stores the HEAD pointer pointer into a temporary variable Y before allocating two consecutive heap-cells for the new list element and updating HEAP: C push Y := HEAD; HEAD := cons(x, Y ) We wish to prove it satisfies the following specification: {list(head, α) X = x} C push {list(head, x :: α)} 20

24 Proof outline for push Here is a proof outline for the push operation. {list(head, α) X = x} Y := HEAD {list(y, α) X = x} HEAD := cons(x, Y ) {list(y, α) HEAD X, Y X = x} {list(head, X :: α) X = x} {list(head, x :: α)} For the cons step we frame off list(y, α) X = x. 21

25 Implementation of delete The delete operation iterates down over the list, deallocating nodes until it reaches the end of the list. C delete X := HEAD; while X NULL do Y := [X + 1]; dispose(x ); dispose(x + 1); X := Y To prove that delete satisfies its intended specification, {list(head, α)} C delete {emp} we need a suitable invariant: that we own the rest of the list. 22

26 Proof outline for delete {list(head, α)} X := HEAD; {list(x, α)} { α. list(x, α)} while X NULL do { α. list(x, α) X NULL} (Y := [X + 1]; dispose(x ); dispose(x + 1); X := Y ) { α. list(x, α)} {list(x, α) (X NULL)} {emp} 23

27 Proof outline for loop-body of delete To verify the loop-body we need a lemma to unfold the list representation predicate in the non-null case: { α. list(x, α) X NULL} { v, t, α. X v, t list(t, α)} Y := [X + 1]; { v, α. X v, Y list(y, α)} dispose(x ); dispose(x + 1); { α. list(y, α)} X := Y { α. list(x, α)} 24

28 Concurrency (not examinable)

29 Concurrency Imagine extending our WHILE p language with a parallel composition construct, C 1 C 2, which executes the two statements C 1 and C 2 in parallel. The statement C 1 C 2 reduces by interleaving execution steps of C 1 and C 2, until both have terminated, before continuing program execution. For instance, (X := 0 X := 1); print(x ) will randomly print 0 or 1. 25

30 Concurrency Adding parallelism complicates reasoning by introducing the possibility of concurrent interference on shared state. While separation logic does extend to reason about general concurrent interference, we will focus on two common idioms of concurrent programming with limited forms of interference: disjoint concurrency well-synchronised shared state 26

31 Disjoint concurrency Disjoint concurrency refers to multiple commands potentially executing in parallel but all working on disjoint state. Parallel implementations of divide-and-conquer algorithms can often be expressed using disjoint concurrency. For instance, in a parallel merge sort the recursive calls to merge sort operate on disjoint parts of the underlying array. 27

32 Disjoint concurrency The proof rule for disjoint concurrency requires us to split our resources into two disjoint parts, P 1 and P 2, and give each parallel command ownership of one of them. {P 1 } C 1 {Q 1 } {P 2 } C 2 {Q 2 } mod(c 1 ) FV (P 2, Q 2 ) = mod(c 2 ) FV (P 1, Q 1 ) = {P 1 P 2 } C 1 C 2 {Q 1 Q 2 } The third hypothesis ensures C 1 does not modify any program variables used in the specification of C 2 and vice versa. 28

33 Disjoint concurrency example Here is a simple example to illustrate two parallel increment operations that operate on disjoint parts of the heap: {X 3 Y 4} {X 3} {Y 4} A := [X ]; [X ] := A + 1 B := [Y ]; [Y ] := B + 1 {X 4} {Y 5} {X 4 Y 5} 29

34 Well-synchronised shared state Well-synchronised shared state refers to the common concurrency idiom of using locks to ensure exclusive access to state shared between multiple threads. To reason about locking, Concurrent Separation Logic extends separation logic with lock invariants that describe the resources protected by locks. When acquiring a lock, the acquiring thread takes ownership of the lock invariant and when releasing the lock, must give back ownership of the lock invariant. 30

35 Well-synchronised shared state To illustrate, consider a simplified setting with a single global lock. We write I {P} C {Q} to indicate that we can derive the given triple assuming the lock invariant is I. I {emp} acquire {I locked} I {I locked} release {emp} where I is not allowed to refer to any program variables. The locked resource ensures the lock can only be released by the thread that currently has the lock. 31

36 Well-synchronised shared state example To illustrate, consider a program with two threads that both access a number stored in shared heap cell at location x in parallel. Thread A increments the number by 2 and thread B multiplies the number by 10. The threads use a lock to ensure their accesses are well-synchronised. Assuming x initially contains an even number, we wish to prove that x is still even after the two parallel threads have terminated. 32

37 Well-synchronised shared state example First, we need to define a lock invariant. The lock invariant needs to own the shared heap cell at location x and should express that it always contains an even number: I = def v. x v even(v) 33

38 ... Assuming the lock invariant I is v. x v even(v), we have: {X = x emp} {X = x emp} {X = x emp} acquire; acquire; {X = x I locked} {X = x I locked} A := [X ]; [X ] := A + 2; B := [X ]; [X ] := B 10; {X = x I locked} {X = x I locked} release; release; {X = x emp} {X = x emp} {X = x emp} 34

39 Summary Abstract data types are specified using representation predicates which relate an abstract model of the state of the data structure with a concrete memory representation. Separation logic supports reasoning about well-synchronised concurrent programs, using lock invariants to guard access to shared state. Suggested reading: Peter O Hearn. Resources, Concurrency and Local Reasoning. 35